# Plonk and PLookup ## 1. Framework and Compilers ### 1.1 Polynomial Protocol Framework Here is a common framework used by Plonk and Plookup. We prove statements about secret polynomials $f_1,\ldots,f_t$ of degree $<d$. The statements are polynomial identities over some domain $H$ which involve public polynomials $g_1,\ldots,g_l$ of degree $<d$ and $G$: $$F(X)\overset{def}{=}G(X,h_1(v_1(X)),\ldots,h_M(v_M(X)))\equiv 0$$ where $F$ has degree $<D$ and $h_i$ is some $f_{i_j}$ or $g_{i_j}$. We start with an interactive proof protocol: 1. Prover $\mathbf{P}$ sends $f_1,\ldots,f_t$ to Checker $\mathbf{I}$. 2. Verifier $\mathbf{V}$ sends $\{F_i\}$ to $\mathbf{I}$. 3. $\mathbf{I}$ verifies identities and tells $\mathbf{V}$. The first step in converting it into a practical protocol is to change the domain to the full space $\mathbb{F}$: 1. $\mathbf{P}$ sends $f_1,\ldots,f_t$ to $\mathbf{I}$. 2. $\mathbf{V}$ sends $a_1,\ldots,a_k$ to $\mathbf{P}$. 3. $\mathbf{P}$ computes the numerator $Z(X) = \prod_{a\in H}(X-a)$ and *quotient polynomial* $$T = \frac{\sum_i a_i F_i}{Z}$$ and sends it to $\mathbf{I}$. 4. $\mathbf{I}$ verifies identity $$\sum_i a_i F_i(X) \equiv T \cdot Z$$ and tells $\mathbf{V}$. ### 1.2 Two-party Compiler The second step is to compile the polynomial protocol into a protocol with just two parties $\mathbf{P}$ and $\mathbf{V}$. This is done using polynomial commitments. We denote a commitment of $f$ by $\mathbf{cm}(f)$ and the opening at point $x$ protocol by $\mathbf{open}(f(x),x,\mathbf{cm}(f))$. The compiler works as follows: 1. Replace sending $f_i$ to $\mathbf{I}$ with sending $\mathbf{cm}(f_i)$ to $\mathbf{V}$. 2. To verify identity $F$, $\mathbf{V}$ selects random $x$ and sends it to $\mathbf{P}$. 3. $\mathbf{P}$ replies with $\{s_i=h_i(v_i(x))\}$ and engages in $\mathbf{open}$ for $s_i$. 4. $\mathbf{V}$ verifies that $G(x,s_1,\ldots,s_M)=0$. The prover complexity consists of two parts: * Computing $t$ commitments. * Open $t$ polynomials in $t^*\leq M$ distinct points $v_i(x)$ and prove openings. A version of pairing-based (groups $\mathbb{G}_1,\mathbb{G}_2,\mathbb{G}_T$), trusted setup [KZG10] commitment scheme gives the complexity * $\sum_{i\leq t} deg(f_i)$ exponentiations in $\mathbb{G}_1$ to compute commitments; * $\sum_{i\leq t^*} d_i$ exponentiations to open and prove, where $d_i$ is the maximum degree of a function opened at $i$-th point. * $t+2t^*$ elements of $\mathbb{G}_1$ are transferred as commitments and openings. Another optimization is to set $r<t^*$ points and openings so that $G$ reduces to a multivariate (of remaining points) polynomial $G'$ of degree 1. Then $\mathbf{V}$ can compute $\mathbf{cm}(G')$ using $s_i$ and $\mathbf{cm}(f_i)$ and then engage in another opening protocol to ensure it opens to 0 at $x$. ### 1.3 Non-interactive protocol To compile into a non-interactive protocol, we note that all Verifier messages are public coins, and then replace them with Fiat-Shamir calls over the transcript of the protocol. ### 1.4 Zero Knowledge ## 2. Circuits and Identities ### 2.1 Circuits with Additions and Multiplications Suppose $\mathbb{F}$ has a multiplicative subgroup $H$ of order $n-1$. Consider an arithmetic circuit of $n$ gates representable in the following form ($i\in [n]$): $$(\mathbf{q}_{\mathbf{L}})_i\cdot \mathrm{x}_{\mathbf{a}_i} + (\mathbf{q}_{\mathbf{R}})_i\cdot \mathrm{x}_{\mathbf{b}_i} + (\mathbf{q}_{\mathbf{O}})_i\cdot \mathrm{x}_{\mathbf{c }_i} + (\mathbf{q}_{\mathbf{M}})_i\cdot \mathrm{x}_{\mathbf{a}_i} \cdot \mathrm{x}_{\mathbf{b}_i}+\mathbf{q}_{\mathbf{C}_i}$$ where $\mathbf{a},\mathbf{b},\mathbf{c}\in[m]^n$ (wire assignment vectors and $\mathbf{q}_{\mathbf{L}},\mathbf{q}_{\mathbf{R}},\mathbf{q}_{\mathbf{O}},\mathbf{q}_{\mathbf{M}},\mathbf{q}_{\mathbf{C}}$ are public vectors of coefficients (selector vectors). Let $\mathfrak{S}$ be partition of $[3n]$ according to $\mathbf{a},\mathbf{b},\mathbf{c}$ (i.e. $m$ sets). Let $\sigma$ be a permutation on $[3n]$ such that it consists of $m$ cycles going over the elements of $\mathfrak{S}$. Then we prove the following identities: 1. Circuit correctness: $$\mathbf{q}_Lf_L + \mathbf{q}_Rf_R + \mathbf{q}_Of_O+ \mathbf{q}_Mf_Lf_R +\mathbf{q}_C +PI =0$$ where $\mathbf{q}_L,\mathbf{q}_R,\mathbf{q}_O,\mathbf{q}_M,\mathbf{q}_C$ interpolate the selector vectors and $f_L,f_R,f_O$ interpolate $\mathrm{x}_{\mathbf{a}},\mathrm{x}_{\mathbf{b}},\mathrm{x}_{\mathbf{c}}$. For this identity the committed polynomials are $f_L,f_R,f_O$ of degree $n-1$. 2. Permutation check: $$\sigma(f_L,f_R,f_O)=(f_L,f_R,f_O)$$ For this identity the committed polynomial is $Z$ of degree $n$. 3. Quotient polynomial We compute and commit a polynomial $T$ of degree $3n-1$. 4. Total prover complexity is the sum of commitment degrees +1 ($7n+1$) plus sum of maximal degrees at evaluation points $x$ and $gx$, i.e. $3n+n+1 = 4n+1$, in total $11n+2$. ### 2.2 Identity for Permutation check We check that $$\sigma(f_1,f_2,\ldots,f_k) \overset{?}{=} (g_1,g_2,\ldots,g_k)$$ 1. Define $$f_j' = f_j + \beta\cdot\underbrace{(j-1)n+\log_{\mathbf{g}} x}_{S_{ID_j}} + \gamma$$ and $$g_j' = g_j + \beta\cdot\underbrace{\sigma((j-1)n+\log_{\mathbf{g}} x)}_{S_{\sigma_j}} + \gamma$$ 2. Define multiproduct $$f' = \prod f_j';\quad g'= \prod g_j'.$$ 3. Define incremental product polynomial: \begin{align*} Z(\mathbf{g}^i) = f'(\mathbf{g})\cdot f'(\mathbf{g}^2)\cdots f'(\mathbf{g}^{i-1})/\left( g'(\mathbf{g})\cdot g'(\mathbf{g}^2)\cdots g'(\mathbf{g}^{i-1})\right).\\ \end{align*} 4. Prove identities: \begin{align*} [a=\mathbf{g}](Z(a)-1) &=0; \\ Z(a) f'(a) &=g'(a) Z(a\mathbf{g}). \end{align*} The correctness as follows. Let $\sigma(i)\neq i$ for some $i$. Then an elementary proof implies that $f'\neq g'$, which means that the second equation can not hold with the other. ### 2.3 Table Identity Let $d\leq n$. We can prove that $\mathrm{x}_{i\in[n]}\subset T=\{t_i\}_{i\in[d]}$ for all $i$. Interpret $T$ as vector $\mathbf{t}$ and let $\mathbf{s}$ be the vector $\mathbf{x}||\mathbf{t}$ sorted by $\mathbf{t}$ (i.e. the values appear in the same order as in $\mathbf{t}$). Let $f$ interpolate $\mathrm{x}$, $h_1$ interpolate $\mathbf{s}$ on first $n+1$ points, and $h_2$ interpolate $s$ on last $n+1$ points. Then $\mathbf{P}$: 1. Sends polynomials $f,h_1,h_2$ to $\mathbf{I}$; 2. Gets $\beta,\gamma$ from $\mathbf{V}$. 3. Computes polynomial $Z'$ of degree $n$ using $\mathbf{s},\mathbf{x},\mathbf{t}$: $$Z(g)=Z(g^{n+1})=1;\quad Z(g^i) = \frac{(1+\beta)^{i-1}\prod_{j<i}(\gamma+f_j)\prod_{1\leq j<i}(\gamma(1+ \beta)+t_j+\beta t_{j+1})}{\prod_{1\leq j<i}(\gamma(1+\beta)+s_j+\beta s_{j+1})(\gamma(1+\beta)+s_{n+j}+\beta s_{n+j+1})}$$ 4. Sends $Z'$ to $\mathbf{I}$. Then $\mathbf{V}$ asks $\mathbf{I}$ to verify 4 identities on $f,h_1,h_2,Z$, the highest degree is $3n+2$. <!-- The complexity is determined by the identity check. We have the quotient polynomial of degree $3n+1-(n+1)=2n$. The commitment cost is $(n+1)+(n+1)+(n+1)+(2n+1)=5n+4$. Then $e_1=2n$ and $e_2=n+1$. In total we have complexity $8n+5$. --> ### 2.4 Vector Tables We prove that $(\mathrm{x}_{a_i},\mathrm{x}_{b_i},\mathrm{x}_{c_i})\in T$ for $i \in [n]$ and $[a_i],[b_i],[c_i]$ being some vectors of length $n$. 1. Prover sends polynomials $f_{a},f_{b},f_{c}$ to $\mathbf{I}$. 2. $\mathbf{V}$ sends challenge $\delta$ to $\mathbf{P}$. 3. $\mathbf{P}$ computes table $T'=\{(T[i][1]+\delta T[i][2]+\delta^2 T[i][3])\}$. 4. $\mathbf{P}$ computes $Z'$ using $x=x_a+\delta x_b+\delta^2 x_c$ and sends to $\mathbf{I}$. 5. $\mathbf{V}$ asks the same 4 identities as for regular tables using $f=f_a+\delta f_b+\delta^2 f_c$. ### 2.5 Multiple Tables Let us have $s$ tables $T_1,T_2,\ldots,T_s$. We prove that $(\mathrm{x}_{a_i},\mathrm{x}_{b_i},\mathrm{x}_{c_i})\in T_{y_i}$ for $i \in [n]$ and $y_i\in [s]$. Note that this happens if and only if for any $\delta_1,\delta_2,\delta_3$ it holds that $$x_i = \mathrm{x}_{a_i}+\delta_1\mathrm{x}_{b_i}+\delta_2\mathrm{x}_{c_i}+\delta_3 y_i\in T'$$ where $$T'=\{T_{j}[k][1]+\delta_1T_{j}[k][2]+\delta_2T_{j}[k][3]+\delta_3j\}_{ j\in[s],\;k\text{ goes for all rows of }T_y}$$ Let $f_t$ be a degree-$n$ interpolant of $[y_0,y_1,\ldots,y_{n-1}]$: $f_t(g^i)= y_i$. 1. Prover sends polynomials $f_{a},f_{b},f_{c}$ to $\mathbf{I}$. 2. $\mathbf{V}$ sends challenges $\delta_1,\delta_2,\delta_3$ to $\mathbf{P}$. 3. $\mathbf{P}$ computes table $T'=\{T_{j}[k][1]+\delta_1T_{j}[k][2]+\delta_2T_{j}[k][3]+\delta_3j\}$. 4. $\mathbf{P}$ computes $Z'$ using $x=x_a+\delta_1 x_b+\delta_2 x_c+ \delta_3 y$ and sends to $\mathbf{I}$. 5. $\mathbf{V}$ asks the same 4 identities as for regular tables using $f=f_a+\delta_1 f_b+\delta_2 f_c+\delta_3 f_t$. ## 3.Poseidon ### 3.1 Specification For Poseidon of width $3$ (processing $(2$ elements per call). 1. $\mathbf{X}=(X_1,X_2,X_3)$ is state. 2. For $1\leq i \leq 4$: 2.1 $X_j \leftarrow (X_j)^5$; 2.2 $\mathbf{X}\leftarrow A\cdot \mathbf{X} +\mathbf{C}_i$ where $A$ is matrix, $\mathbf{C}_i$ are round constants. 3. For $5\leq i \leq 61$: 3.1 Only the last element is changed: $X_3 \leftarrow (X_3)^5$; 3.2 $\mathbf{X}\leftarrow A\cdot \mathbf{X} +\mathbf{C}_i$. 4. For $62\leq i \leq 65$: 4.1 $X_j \leftarrow (X_j)^5$; 4.2 $\mathbf{X}\leftarrow A\cdot \mathbf{X} +\mathbf{C}_i$ ### 3.2 Regular Plonk prover cost We need $24+57\cdot 3$ multiplications, and for each round we need 6 fan-in-2 additions in the linear phase. Thus in total we need $195 + 65 \cdot 6 = 585$ gates. Thus the prover cost is $11\cdot 585+2 = 6437$ exponentiations. ### Optimized Plonk implementation We designate one polynomial per state variable $X_i$. Each round is described as an equation of degree 5 over $f_1,f_2,f_3$. For $R$ rounds we have a round equation of degree $6R$, which is the only polynomial identity we need. Thus $T$ is of degree $5R$. Overall we spend $8R$ exponentiations for commitments and further $6R$ for openings. In total the cost is $910$, i.e. 7 times smaller than for regular Plonk. ## 4.SHA-256 ### Method 1 We implement SHA-256 with lookups and with 4 state polynomials $x_L,x_R,x_S,x_T$. We have the only type of constraints: * Table: $$(\mathrm{x}_{\mathbf{L}_i},\mathrm{x}_{\mathbf{R}_i},\mathrm{x}_{\mathbf{S}_i},\mathrm{x}_{\mathbf{T}_i})\in T$$ <!-- Note that we can satisfy both at the same time by setting $(\mathbf{q}_{\mathbf{L}})_i=(\mathbf{q}_{\mathbf{R}})_i=(\mathbf{q}_{\mathbf{S}})_i=(\mathbf{q}_{\mathbf{T}})_i=0$ for table gates and --> We aim to fit $2^{12}$ gates so consider tables of size $2^{12}$ and less. We split each 32-bit of a state register into 6-bit chunks $A^1,A^2,A^3,A^4,A^5,A^6$. All rounds are implemented in the same way, we assume that the input is already split into 48 chunks of the state and 6 chunks of the message. * $\Sigma_0,\Sigma_1$ with 21 lookups each: * We split the input of $\Sigma_i$ into three chunks of 5 bits and three chunks of 6 bits each and represent the function as a 3-XOR of 11-to-32 bit mappings, where each mapping consists of 3 2-to-2 lookups, 9 lookups in total:$$\Sigma_{i,j}(A^{2k},A^{2k+1})=(\widehat{A}^{2k,j},\widehat{A}^{2k+1,j});$$ * We use XOR tables to compute 6-bit 2-XOR. We need 6 6-bit 3-XORs, or 12 2-XORs, so 12 more lookups. * Maj function: for each 5/6-bit chunk compute 3 ANDs and 2 2-XORs, thus 30 lookups. * Ch function: for each 5/6-bit chunk compute AND, NAND and 2-XOR, thus 18 lookups. * Addition: we need 6-addition to compute the new E value as $E_{new} = D+H'$ where $H'=\Sigma_1+W+Ch+K+H$ * We implement addition with carry: $$ADD(x,y) = (x+y\bmod{2^6},(x+y)/2^6).$$ * We need 4 such additions to compute one chunk of $H'$, one more addition for $E_{new}$ and then we aggregate carries with fan-3 addition lookup, thus spending 2 lookups. In total we need $7\cdot 6=42$ lookups for $E_{new}$. * We compute $A_{new}=H'+Maj+\Sigma_0$ spending 2 more additions and one more carry aggregator. In total we need $18$ lookups for $A_{new}$. * In total 60 lookups for modular addition. * Therefore we compute one round with 150 lookups. * A message schedule round can be implemented the same way as $\Sigma_0$. This costs 21 lookups. In total we spend $64\cdot 150 + 21\cdot 48 = 10608$ gates. #### Potential improvements * We can drop permutation polynomials since all rounds are the same but we will have to open commitments in significantly more points. * We can use field additions and then carry extraction instead of lookup addtions. This might save 10-12 gates per round (<10%). ### Method 2 We implement SHA-256 with lookups and with 4 state polynomials $x_L,x_R,x_S,x_T,x_U$. We have the only type of constraints: * Table: $$(\mathrm{x}_{\mathbf{L}_i},\mathrm{x}_{\mathbf{R}_i},\mathrm{x}_{\mathbf{S}_i},\mathrm{x}_{\mathbf{T}_i},\mathrm{x}_{\mathbf{U}_i})\in T$$ <!-- Note that we can satisfy both at the same time by setting $(\mathbf{q}_{\mathbf{L}})_i=(\mathbf{q}_{\mathbf{R}})_i=(\mathbf{q}_{\mathbf{S}})_i=(\mathbf{q}_{\mathbf{T}})_i=0$ for table gates and --> We aim to fit $2^{12}$ gates so consider tables of size $2^{12}$ and less. We split each 32-bit of a state register into 4-bit chunks $A^1,A^2,\ldots,A^8$. All rounds are implemented in the same way, we assume that the input is already split into 64 chunks of the state and 8 chunks of the message. * $\Sigma_0,\Sigma_1$ with 20 lookups each: * We group the input of $\Sigma_i$ into four blocks of two chunks and represent the function as a 4-XOR of 8-to-32 bit mappings, where each mapping consists of 4 2-to-2 lookups, 12 lookups in total:$$\Sigma_{i,j}(A^{2k},A^{2k+1} )=(\widehat{A}^{2k,j},\widehat{A}^{2k+1,j});$$ * We use 3-XOR tables to compute 4-bit 3-XOR. We need 8 more lookups. * Maj function: 8 3-to-1 4-bit lookups. * Ch function: 8 3-to-1 4-bit lookups. * Addition: we need 6-addition to compute the new E value as $E_{new} = D+H'$ where $H'=\Sigma_1+W+Ch+K+H$ * We implement 3-addition with carry: $$ADD(x,y,z) = (x+y+z\bmod{2^4},(x+y+z)/2^4).$$ * We need 2 such additions to compute $E_{new}$ and then we aggregate carries with fan-4 addition lookup, thus spending 2 lookups. In total we need $4\cdot 8=32$ lookups for $E_{new}$. * We compute $A_{new}=H'+Maj+\Sigma_0$ spending 2 more additions and one more carry aggregator. In total we need $24$ lookups for $A_{new}$. * In total 56 lookups for modular addition. * Therefore we compute one round with 112 lookups. * A message schedule round can be implemented the same way as $\Sigma_0$. This costs 20 lookups. In total we spend $64\cdot 112 + 20\cdot 48 = 8128$ gates. However, we use a wider state (5 polys vs 4). We also use several tables of size $2^{12}$, though $2^{11}$ should also suffice for $\Sigma_i$. ## AES We can implement AES with S-box lookup tables. We consider the following equations: $$A\cdot S(\mathbf{x}_r) = \mathbf{x}_{r+1} +\mathbf{k}_{r+1}.$$ ### Method 1 In this method we proceed as follows: * Split MC-SR-SB-box outputs of form $a_iS(x_j)$ into 4-bit nibbles $E_{a_i,L},E_{a_i,R}$. * Convert each nibble bit into base-6 representation, so that the expanded nibble $L_{a_i,\cdot}$ is in $\mathbb{Z}_6^4$. * Compute each AK output expanded nibble as integer sum of four expanded nibbles plus key nibble. * Collapse expanded nibbles back into nibbles by evaluating each 3 bits modulo 2. * Compute S-box value as lookup over three nibbles. We prepare the following tables $(x,y\in Z_{16})$: * $T_1:\; (x,y,L_{1,L}(x,y),L_{1,R}(x,y))$ -- for S-box multiplied by 1; * $T_2:\; (x,y,L_{2,L}(x,y),L_{2,R}(x,y))$ -- for S-box multiplied by 2 in $GF(256)$; * $T_3:\; (x,y,L_{3,L}(x,y),L_{3,R}(x,y))$ -- for S-box multiplied by 3 in $GF(256)$; * $XOR:\; (x_1||x_2||x_3||x_4, (x_1\bmod{2})||(x_2\bmod{2})||(x_3\bmod{2})||(x_4\bmod{2}))$ with $x_i\in Z_6$. * The table entries will occupy $\mathrm{x}_{\mathbf{a}_i},\mathrm{x}_{\mathbf{b}_i},\mathrm{x}_{\mathbf{l}_i},\mathrm{x}_{\mathbf{s}_i}$, whereas the table number will be chosen by $\mathrm{q}_{\mathbf{c}_i}$ Our common equation form: $$(\mathbf{q}_{\mathbf{a}})_i\cdot \mathrm{x}_{\mathbf{a}_i} + (\mathbf{q}_{\mathbf{b}})_i\cdot \mathrm{x}_{\mathbf{b}_i} + (\mathbf{q}_{\mathbf{c}})_i\cdot \mathrm{x}_{\mathbf{c }_i} + (\mathbf{q}_{\mathbf{S}})_i\cdot \mathrm{x}_{\mathbf{s}_i} +(\mathbf{q}_{\mathbf{L}})_i\cdot \mathrm{x}_{\mathbf{l }_i} =0$$ Then we have the following equations in each round: * 32 $T_1$ entries: \begin{align}(\mathbf{q}_{\mathbf{a}})_i=(\mathbf{q}_{\mathbf{b}})_i&= (\mathbf{q}_{\mathbf{s}})_i=(\mathbf{q}_{\mathbf{l}})_i=0, (\mathbf{q}_{\mathbf{c}})_i=1\\ (\mathrm{x}_{\mathbf{a}_i},\mathrm{x}_{\mathbf{b}_i},\mathrm{x}_{\mathbf{s}_i},\mathrm{x}_{\mathbf{l}_i},\mathrm{x}_{\mathbf{c}_i})&\in T\end{align} * 16 $T_2$ entries: $(\mathbf{q}_{\mathbf{a}})_i=(\mathbf{q}_{\mathbf{b}})_i= (\mathbf{q}_{\mathbf{s}})_i=(\mathbf{q}_{\mathbf{l}})_i=0$, $(\mathbf{q}_{\mathbf{c}})_i=2$; * 16 $T_3$ entries: $(\mathbf{q}_{\mathbf{a}})_i=(\mathbf{q}_{\mathbf{b}})_i= (\mathbf{q}_{\mathbf{s}})_i=(\mathbf{q}_{\mathbf{l}})_i=0$, $(\mathbf{q}_{\mathbf{c}})_i=3$; * 4 sums to get a nibble after AK, per nibble (i.e. 128 equations) $(\mathbf{q}_{\mathbf{a}})_i=(\mathbf{q}_{\mathbf{b}})_i=(\mathbf{q}_{\mathbf{c}})_i=1$, $(\mathbf{q}_{\mathbf{s}})_i=(\mathbf{q}_{\mathbf{l}})_i=0$; * 32 XOR entries, one per nibble. $(\mathbf{q}_{\mathbf{a}})_i=(\mathbf{q}_{\mathbf{b}})_i= (\mathbf{q}_{\mathbf{s}})_i=(\mathbf{q}_{\mathbf{l}})_i=0$, $(\mathbf{q}_{\mathbf{c}})_i=4$ In total we have 960 lookup gates and 1280 linear equations, the state has 5 state polynomials. The table size is $3\cdot 256 + 6^4 = 2064$. The total complexity is $17\cdot 2240=38080$ exponentiations without key schedule. ### Method 2 Don't split into nibbles, work with entire bytes but use XOR [more frequently](https://hackmd.io/m0fnJ_lPTPahWAhfaiQA7Q#With-smaller-38-sized-tables) due to base-3 representation. Then you use the same number of lookups, but tables have size $3^8=6561$. $$\textsf{LASKA}^{[love\text{ in Czech}]}:\quad \text{Lookup Arguments Suitable for Kingly Applications}$$